CCNA Security Lab 18 - Cisco IOS Zone-Based Policy Firewall - SDM

Lab 18 


Cisco Zone-Based Policy Firewall 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to use
Cisco SDM to configure the Zone-Based Policy Firewall on a Cisco IOS router.

Lab Purpose: 

The Cisco SDM One-Step Lockdown feature tests your router configuration for any 
potential security problems and automatically makes any necessary configuration 
changes to correct any problems found. This is similar to the Cisco IOS Auto 
Secure feature. 

Lab Difficulty: 

This lab has a difficulty rating of 7/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



Lab 18 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the
network diagram. Configure R2 to send R1 clocking information at a rate of
768Kbps. In addition, configure a static default route on R2 via its Serial0/0
interface. Ping between R1 and R2 to verify your configuration and ensure that
the two routers have IP connectivity.

Task 2: 

Configure Host 1 with the IP address illustrated in the diagram and a default
gateway pointing to R1. Verify that Host 1 can ping R1 and R2.

Task 3: 

Configure a username of sdmadmin with 
domain name howtonetwork.net.

Configure R1 to authenticate HTTPS users based on the local username and 
password pair configured on the router. 

Task 4: 

Using SDM (from Host 1), configure ZPF on R1 using the following parameters:

FastEthernet0/0 should be the inside/trusted interface

Serial0/0 should be the outside/untrusted interface

Configure ZPF for Medium security

Use the DNS server 172.16.1.254

Test your configuration by pinging from Host 1 to R2 and validate that this 
works. However, a ping from R2 to Host 1 should not work. 

Lab 18 Configuration and Verification 
Task 1: 

Router(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#int s0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#exit
R1#

Router(config)#hostname R2
R2(config)#int s0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#clock rate 768000
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 se0/0
R2(config)#exit
R2#

R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/9 ms

Task 2: 


C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.1.1

Ethernet adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\>ping 10.1.1.2

Pinging 10.1.1.2 with 32 bytes of data:

Reply from 10.1.1.2: bytes=32 time=2ms TTL=255
Reply from 10.1.1.2: bytes=32 time=2ms TTL=255
Reply from 10.1.1.2: bytes=32 time=2ms TTL=255
Reply from 10.1.1.2: bytes=32 time=2ms TTL=255

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms

C:\>


Task 3: 

R1(config)#username sdmadmin privilege 15 secret security
R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#exit
R1#


Task 4: 









For a reference on how to initialize and access SDM, please refer to the solutions in Lab 17. 

From the Firewall screen, select the Basic Firewall radio button and then click the Launch selected task radio 
button at the bottom of the screen: 


[Screenshot: Cisco Router and Security Device Manager (SDM): 172.16.1.1, Firewall and ACL, Create Firewall tab. The Basic Firewall wizard applies pre-defined rules and does not allow DMZ services to be configured; the Advanced Firewall wizard applies pre-defined or customized rules and allows DMZ services (for example, WWW, FTP).]
On the Basic Firewall Configuration Wizard screen, click on Next to continue:


[Screenshot: Firewall Wizard, Basic Firewall Configuration Wizard. Text on the screen:]

Basic Firewall will allow you to secure your Internet access router fast and easily. It
uses pre-defined rules to allow private network users to access the Internet, and
protects your private network from the most common outside attacks.

Basic Firewall

• Applies default policies to inside (trusted) and outside (untrusted) zones

• Inspect TCP, UDP and other protocols from inside zone to outside zone as well as
  router-generated ICMP traffic

• Block http port misuse for im, p2p as well as block all msn, yahoo, aol servers and
  write the event to log

• Deny traffic from outside zones to inside zones

To continue, click Next
Click on the relevant checkboxes to ensure that Fa0/0 is the inside/trusted interface and Se0/0 is the
outside/untrusted interface as illustrated below and click on Next to continue:

On the next screen, drag the scroll bar to Medium Security and click Next to continue:



On the Basic Firewall Domain Name Server Configuration screen, enter the IP address of the DNS server and click 
on Next to continue: 




























On the Firewall Configuration Summary screen, click on Finish to continue:

[Screenshot: Firewall Configuration Summary. Legible entries: allow download with fasttrack, gnutella and kazaa2 with log; Application Inspection for Email: log invalid command for imap, pop3; inspect router-generated ICMP traffic; deny all other traffic; DNS Configuration: Secondary DNS not set.]

Once SDM has configured the router, click on OK to complete your configuration:

[Screenshot: Firewall Wizard, Commands Delivery Status: Preparing commands for delivery; Submitting 344 commands, please wait; Configuration delivered to router.]

Click OK again and you will be redirected to the Edit Firewall Policy screen as follows:

[Screenshot: Cisco Router and Security Device Manager (SDM): 172.16.1.1, Edit Firewall Policy screen.]

To validate your configuration, click on Monitor on the top taskbar, next to Configure. This will bring you to the
Firewall Status screen. Select the sdm-zp-in-out policy and click on the Monitor Policy radio button to start
monitoring ZPF:



Send a continuous ping from Host 1 to R2 using the ping -t 10.1.1.2 command on Windows-based workstations.
In addition to this, open up another window and Telnet from Host 1 to R2. If your SDM configuration is correct, you
will see the following sessions:
Lab 18 Configurations
R1 Configuration 

R1#show run
Building configuration...

Current configuration : 10919 bytes

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef

ip domain name howtonetwork.net
ip name-server 172.16.1.254
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 02

  quit
!
!
username sdmadmin privilege 15 secret 5 $1$PkTA$zhgv4R2GZyOKJFIXGFIahyLl
archive
 log config
  hidekeys

class-map type inspect imap match-any sdm-app-imap
 match invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect gnutella match-any sdm-app-gnutella
 match file-transfer
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect msnmsgr match-any sdm-app-msn-otherservices
 match service any
class-map type inspect ymsgr match-any sdm-app-yahoo-otherservices
 match service any
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect aol match-any sdm-app-aol-otherservices
 match service any
class-map type inspect pop3 match-any sdm-app-pop3
 match invalid-command
class-map type inspect kazaa2 match-any sdm-app-kazaa2
 match file-transfer
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect ymsgr match-any sdm-app-yahoo
 match service text-chat
class-map type inspect msnmsgr match-any sdm-app-msn
 match service text-chat
class-map type inspect edonkey match-any sdm-app-edonkey
 match file-transfer
 match text-chat
 match search-file-name
class-map type inspect http match-any sdm-app-httpmethods
 match request method bcopy
 match request method bdelete
 match request method bmove
 match request method bpropfind
 match request method bproppatch
 match request method connect
 match request method copy
 match request method delete
 match request method edit
 match request method getattribute
 match request method getattributenames
 match request method getproperties
 match request method index
 match request method lock
 match request method mkcol
 match request method mkdir
 match request method move
 match request method notify
 match request method options
 match request method poll
 match request method propfind
 match request method proppatch
 match request method put
 match request method revadd
 match request method revlabel
 match request method revlog
 match request method revnum
 match request method save
 match request method search
 match request method setattribute
 match request method startrev
 match request method stoprev
 match request method subscribe
 match request method trace
 match request method unedit
 match request method unlock
 match request method unsubscribe
class-map type inspect edonkey match-any sdm-app-edonkeychat
 match search-file-name
 match text-chat
class-map type inspect fasttrack match-any sdm-app-fasttrack
 match file-transfer
class-map type inspect http match-any sdm-http-allowparam
 match request port-misuse tunneling
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect edonkey match-any sdm-app-edonkeydownload
 match file-transfer
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
class-map type inspect aol match-any sdm-app-aol
 match service text-chat

policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect p2p sdm-action-app-p2p
 class type inspect edonkey sdm-app-edonkeychat
  log
  allow
 class type inspect edonkey sdm-app-edonkeydownload
  log
  allow
 class type inspect fasttrack sdm-app-fasttrack
  log
  allow
 class type inspect gnutella sdm-app-gnutella
  log
  allow
 class type inspect kazaa2 sdm-app-kazaa2
  log
  allow
 class class-default
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-http-allowparam
  log
  allow
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
 class class-default
policy-map type inspect im sdm-action-app-im
 class type inspect aol sdm-app-aol
  log
  allow
 class type inspect msnmsgr sdm-app-msn
  log
  allow
 class type inspect ymsgr sdm-app-yahoo
  log
  allow
 class type inspect aol sdm-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr sdm-app-msn-otherservices
  log
  reset
 class type inspect ymsgr sdm-app-yahoo-otherservices
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  inspect
  service-policy p2p sdm-action-app-p2p
 class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect

interface FastEthernet0/0
 description $FW_INSIDE$
 ip address 172.16.1.1 255.255.255.0
 zone-member security in-zone
 duplex auto
 speed auto
!
interface Serial0/0
 description $FW_OUTSIDE$
 ip address 10.1.1.1 255.255.255.252
 zone-member security out-zone

ip forward-protocol nd

ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.1.1.0 0.0.0.3 any
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end 
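
Why the two pings in Task 4 behave differently, as an added example that is not part of the original lab or of SDM's output: a small Python evaluator that resolves interface, zone, zone-pair, policy-map and class-map for a new flow. The function names are hypothetical, and the embedded configuration is a constructed excerpt of the R1 configuration above; the sdm-invalid-src class is left out on the assumption that Host 1's source address does not match access-list 100.

```python
# Constructed excerpt of R1's running-config (OCR repaired), trimmed to the
# stanzas that decide the Task 4 ping test; the other SDM classes are omitted.
R1_CONFIG = """\
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol icmp
 match protocol tcp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
policy-map type inspect sdm-inspect
 class type inspect sdm-insp-traffic
  inspect
 class class-default
  pass
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface FastEthernet0/0
 zone-member security in-zone
interface Serial0/0
 zone-member security out-zone
"""

def parse(config):
    """Index class-maps, policy-maps, zone-pairs and interface zones."""
    cmaps, pmaps, pairs, if_zone = {}, {}, {}, {}
    kind = key = None
    for raw in filter(str.strip, config.splitlines()):
        w = raw.split()
        if not raw[0].isspace():                   # top-level stanza header
            kind = w[0]
            key = (w[4], w[6]) if kind == "zone-pair" else w[-1]
            if kind == "class-map":
                cmaps[key] = []
            elif kind == "policy-map":
                pmaps[key] = []
            elif kind == "zone-pair":
                pairs[key] = {"name": w[2], "policy": None}
        elif kind == "class-map" and w[0] == "match" and len(w) > 2:
            cmaps[key].append((w[1], w[2]))        # e.g. ("protocol", "icmp")
        elif kind == "policy-map" and w[0] == "class":
            pmaps[key].append([w[-1], "drop"])     # no action configured: drop
        elif kind == "policy-map" and w[0] in ("inspect", "pass", "drop"):
            pmaps[key][-1][1] = w[0]
        elif kind == "zone-pair" and w[0] == "service-policy":
            pairs[key]["policy"] = w[-1]
        elif kind == "interface" and w[0] == "zone-member":
            if_zone[key] = w[-1]
    return cmaps, pmaps, pairs, if_zone

def matches(cmaps, cname, proto):
    """Follow nested class-maps; each match-all map here has one statement."""
    if cname == "class-default":
        return True
    return any(val == proto if typ == "protocol" else matches(cmaps, val, proto)
               for typ, val in cmaps.get(cname, []))

def verdict(config, src_if, dst_if, proto):
    """(zone-pair, action) for a NEW flow entering src_if and leaving dst_if."""
    cmaps, pmaps, pairs, if_zone = parse(config)
    pair = pairs.get((if_zone[src_if], if_zone[dst_if]))
    if pair is None:
        return (None, "drop")        # different zones, no zone-pair: dropped
    for cname, action in pmaps[pair["policy"]]:    # first matching class wins
        if matches(cmaps, cname, proto):
            return (pair["name"], action)
    return (pair["name"], "drop")

if __name__ == "__main__":
    for a, b in (("FastEthernet0/0", "Serial0/0"), ("Serial0/0", "FastEthernet0/0")):
        print(a, "->", b, verdict(R1_CONFIG, a, b, "icmp"))
```

The inspect action is what lets R2's echo replies back in: they belong to a session opened from in-zone, so they need no out-zone to in-zone pair, while a ping that R2 initiates finds no zone-pair and is dropped.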

R2 Configuration 

R2#show running-config
Building configuration...

Current configuration : 818 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2

boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 768000
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
ip http server
ip http authentication local
no ip http secure-server
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end

